The wireless communication industry loses hundreds of millions of dollars a year to fraud. Much of the fraud comes from handset or mobile-telephone impersonators (e.g., unauthorized subscribers or users of wireless communications networks) using user identity information associated with legitimate handsets or mobile-telephones (e.g., authorized subscribers or users of wireless communications networks), such as mobile identification numbers (MIN) and/or electronic serial numbers (ESN), to gain system access to wireless communications networks. Many different techniques have been developed to reduce wireless communication fraud. Such techniques include using authentication protocols to verify whether a requesting handset or mobile-telephone (i.e., handset seeking to gain system access) is a legitimate handset or mobile-telephone.
Authentication protocols generally involve a handset transmitting an authentication code to a wireless communications network. The authentication code is a secret key associated with the handset and is used by the network to authenticate or verify whether the handset is a legitimate handset. The authentication code is either known to the handset and network, or may be determined independently by the handset and the network. If the handset's authentication code (i.e., authentication code transmitted by the handset) does not match the network's authentication code for the handset (i.e., authentication code known or determined by the network to be associated with the handset), the handset is not authenticated and will be denied system access to the wireless communications network. If the handset's authentication code matches the network's authentication code for the handset, the handset is authenticated and will be allowed system access to perform system access functions, such as registration, page response and call origination.
The background of the present invention will be described herein with reference to the well-known IS-41 standard, which is the North American standard for intersystem signaling for wireless communications networks. This should not, however, be construed to limit the present invention in any manner. The IS-41 standard defines authentication protocols which use a cryptographic function known as the Cellular Authentication and Voice Encryption (CAVE) algorithm to determine an authentication code. FIG. 1 is an illustration 10 showing a plurality of parameters x being used as inputs for the CAVE algorithm. At least one of the parameters x is a private key uniquely associated with the handset and is known only to the handset and the network. The parameters x are provided as inputs to the CAVE algorithm to obtain an authentication code. One notable feature of the CAVE algorithm is that no known method exists for reversing or breaking the CAVE algorithm.
In one implementation of the IS-41 standard, the CAVE algorithm is executed using a microprocessor or an Application Specific Integrated Circuit (ASIC), and the parameters x are stored in a plurality of registers (hereinafter referred to as CAVE registers) from which they are loaded into the microprocessor or ASIC. The CAVE registers include a 32 bit linear feedback shift register (LFSR), sixteen 1 byte registers (i.e., R00 through R15), and two 1 byte offset registers (i.e., offset 1 and offset 2).
The authentication protocols defined by the IS-41 standard include protocols for global challenges and unique challenges, as will be described herein. Global challenges require every handset attempting to gain system access to respond with an authentication code referred to herein as an authentication-random code (AUTHR). FIG. 2 illustrates the authentication protocol for a global challenge. A network 20 issues a global challenge by generating and broadcasting a global random number (RAND) to be used by every handset (attempting to gain system access) to respond with an AUTHR. The global challenge is received by a handset 22, which uses the RAND and other information as parameters for generating the AUTHR. Note that the handset 22 should respond with its AUTHR before expiration of a predetermined or random time interval, wherein the network 20 issues a new global challenge upon expiration of such time interval.
FIG. 3 illustrates the parameters for generating the AUTHR in response to a global challenge. The parameters are loaded from the CAVE registers 30 into a microprocessor 32 executing the CAVE algorithm. Specifically, the following AUTHR parameters are loaded from the CAVE registers 30 into the microprocessor 32: a secret shared data A (SSD-A) from registers R00-R07; an authentication algorithm version (AAV) from register R08; a MIN1 from registers R09-R11 if the handset wants to perform registration or page response; the last six digits of a telephone number to be dialed from registers R09-R11 if the handset wants to perform call origination; an electronic serial number (ESN) from registers R12-R15; the RAND from the LFSR; and a value of one hundred twenty eight (128) from offsets 1 and 2. The SSD-A is a private key known only to the network 20 and the handset 22; the AAV specifies the version of the CAVE algorithm being used to generate the authentication code; the MIN1 is the NXX-XXXX portion of a mobile identification number (MIN); and the ESN identifies the make and model of the handset 22. The RAND is typically XOR (i.e., exclusive OR) with the thirty-two most significant bits of the SSD-A, and then XOR with the thirty-two least significant bits of the SSD-A.
The handset 22 responds to the global challenge by transmitting to the network its output from the microprocessor 32 (i.e., AUTHR) along with its MIN and ESN. If the handset 22 wants to perform the call origination function, the handset 22 will also include the telephone number to be dialed in its response. The network 20 uses the MIN and/or ESN in the handset's response to determine the SSD-A and the AAV for the handset 22. For example, the network 20 uses one or more look-up tables that correlate MINs and/or ESNs to SSD-As and AAVs in order to determine a SSD-A and an AAV for a given MIN and/or ESN. Upon determining the SSD-A and AAV for the received MIN and/or ESN, the network 20 uses the appropriate version of the CAVE algorithm (as indicated by the AAV) to independently determine its AUTHR for authenticating the AUTHR received from the handset 20. Specifically, the network 20 uses as input parameters for the CAVE algorithm the SSD-A and AAV values determined by the network 20, the RAND generated by the network 20, the NXX-XXXX portion of the received MIN (i.e., MIN1), the received ESN and the value of one hundred twenty eight (128) for the offsets 1 and 2. Note that the last six digits of the received telephone number is substituted for the MIN1 if the handset wants to perform call origination. The network's AUTHR is compared to the handset's AUTHR (transmitted by the handset 22) to authenticate the handset 22.
If the handset's response to the global challenge fails or if the network 20 does not use global challenges to authenticate handsets, the network 20 may issue a unique challenge to authenticate handsets. Unlike a global challenge, a unique challenge is directed to a particular handset attempting to gain system access. FIG. 4 illustrates the authentication protocol for a unique challenge. The handset 22 transmits an access signal to the network 20. The access signal includes the handset's MN and ESN and an indication that the handset 22 wants to gain system access to perform a system access function, such as call origination, page response or registration. The network 20 issues a unique challenge to the handset 22 to respond with an authentication code referred to herein as an authentication-unique random code (AUTHR). The unique challenge includes the handset's MIN (to indicate the particular handset to which the unique challenge is directed) and a random-unique number (RANDU) generated by the network 20, which is to be used by the handset to respond with the AUTHU.
The handset 22 receives the unique challenge and uses the RANDU and other information as parameters for generating the AUTHU. FIG. 5 illustrates the parameters for generating the AUTHU in response to a unique challenge. The parameters are loaded from the CAVE registers 30 to the microprocessor 32 executing the CAVE algorithm. Specifically, the following parameters are loaded: the secret shared data A (SSD-A) from registers R00-R07; the authentication algorithm version (AAV) from register R08; the MIN1 from registers R09-R11; the electronic serial number (ESN) from registers R12-R15; the RANDU and MIN2 from the LFSR, wherein the MIN2 is the NPA portion (i.e., area code) of the mobile identification number; and a value of one hundred twenty eight (128) from offsets 1 and 2. Note that the AUTHU parameters differ from the AUTHR parameters in that the former parameters include the RANDU and MIN2 instead of the RAND, and the MIN1 for call origination instead of the last six digits of the telephone number to be dialed. The handset 22 responds by transmitting to the network 20 its AUTHU along with its MIN, ESN and/or telephone number to be dialed. The network 20 uses the MIN and ESN (received via the handset's response) to generate its own AUTHU for comparison with the handset's AUTHU (for purposes of authenticating the handset 22).
Both of the above-described authentication protocols have weaknesses which make it possible for an impersonator or cloner to steal services from a network by impersonating a legitimate handset. These weaknesses are typically subject to replay attacks wherein the impersonator intercepts an authentication code transmitted by a legitimate handset and replays (or re-transmits) the intercepted authentication code to the network. Thus, the impersonator pretends to be the legitimate handset in order to gain system access to the network.
FIG. 6 illustrates how an impersonator or cloner might respond to a global challenge using a replay attack. The impersonator comprises a network impersonator 36 (for portraying itself as a legitimate network to a legitimate handset) and a handset impersonator 38 (for portraying itself as a legitimate handset to a legitimate network). The network impersonator 36 obtains a victim handset 22's (i.e., legitimate handset) MIN and ESN by listening to communication channels over which the victim handset 22 typically transmits its MIN and ESN--that is, the network impersonator 36 intercepts the victim handset's MIN and ESN. About the same time or some time thereafter, the handset impersonator 38 listens for the RAND broadcaster by the network 20 via a global challenge. The handset impersonator 38 relays the RAND to the network impersonator 36, which page queries the victim handset 22 (i.e., solicits the victim handset 22 to respond with a page response) and issues a false global challenge with the RAND received by the handset impersonator 38 (and issued by the legitimate network 20).
The victim handset 22 receives the network impersonator's page query and global challenge (with the RAND) and determines an AUTHR using the RAND and its SSD-A, AAV, MIN1 and ESN (and the value of 128 for the offsets). Upon determining its AUTHR, the victim handset responds to the network impersonator's page query and global challenge with its MIN, ESN and AUTHR. The network impersonator 36 listens to the victim handset's response and relays it to the handset impersonator 38, which replays or sends it to the network 20 as the handset impersonator's response to the global challenge.
The above described replay attack on global challenges is effective for handset impersonators attempting to gain system access to perform page response or registration because the victim handset determined the AUTHR using the MIN1. Gaining system access to perform page response and registration allows the handset impersonator 38 to register as the victim handset 22 and receive telephone calls dialed to the victim handset's telephone number. However, the replay attack of FIG. 6 does not allow the handset impersonator 38 to gain system access to perform call origination because the last six digits of the telephone number to be dialed were not used by the victim handset as a parameter for determining the AUTHR (as required for call origination). Since the impersonator cannot make the victim handset 22 determine a AUTHR using a specific telephone number (i.e., telephone number handset impersonator wants to dial), the above described replay attack cannot be used by the impersonator to perform call origination.
The impersonator may, however, modify the replay attack of FIG. 6 to successfully respond to challenges on call origination using the MIN1 as the six least significant digits of the telephone number to be dialed, as will be described herein. As mentioned earlier, the MIN1 is a seven digit value being stored in registers R09-R11, which comprises twenty-four bits (i.e., eight bits per byte). Without encoding, four bits are used to represent a single digit. Thus, twenty-eight bits (i.e., four bits multiplied by seven digits) would be needed to represent the seven digit MIN1 without encoding. Since the registers R09-R11 comprises only twenty-four bits, the seven digit MIN1 needs to be encoded such that it may be represented using twenty-four bits (thus, allowing the seven digit MIN1 to fit within the registers R09-R11). If the twenty-four bits representing the seven digit MIN1 (hereinafter referred to as the "encoded MIN1") can be mapped to a six digit number, then a modification of the replay attack of FIG. 6 may be used to respond successfully to challenges on call origination.
For example, the network impersonator 36 listens for MIN's transmitted by possible victim handsets. When the network impersonator 36 finds a victim handset 22 with a MIN1 that, when encoded, can be mapped to a six digit number (such victim handset is also referred to herein as a mapped handset), the impersonator is ready to attack the authentication protocol. The handset impersonator 38 will then listen for the RAND transmitted by the network 20. The RAND is relayed to the network impersonator 36, which page queries and issues a challenge (with the RAND) to the mapped handset 22. The mapped handset 22 responds with its AUTHR, which was determined using its MIN1. The network impersonator 36 receives and relays the mapped handset's 22 AUTHR to the handset impersonator 38, which transmits the AUTHR, ESN and MIN of the victim handset, and a bogus telephone number. The bogus telephone number comprising a first part and a second part. The first part being the most significant digits of the bogus telephone number and including a telephone number the impersonator wants to dial. The second part being the least significant digits of the bogus telephone number and including the six digits mapped to the encoded MIN1 of the victim handset.
When the network 20 receives the handset impersonator's response, the network 20 will use the six least significant digits of the bogus telephone number, i.e., the second part, to determine its AUTHR. The network's AUTHR will match the AUTHR in the impersonator's response (i.e., victim handset's AUTHR determined using its MIN1), and the entire bogus telephone number will be provided to one or more communications networks (e.g., local exchange carriers and long distance carriers) to complete the telephone call. The communications networks will use as many of the bogus telephone number's most significant digits as necessary to complete or route the telephone call. The first part of the bogus telephone number will provide the communications networks with sufficient information to complete or route the call. The second part of the bogus telephone number will be ignored by the communications networks because all the necessary information for completing the call has already been provided by the first part. Thus, the second part does not affect the routing of the telephone number indicated by the first part, but assists the handset impersonator in gaining system access for performing call origination.
FIG. 7 illustrates how an impersonator or cloner might respond to a unique challenge using a replay attack. A replay attack upon a unique challenge first begins with the network impersonator 36 obtaining the MIN and ESN of the victim handset 22. The MIN and ESN are relayed to the handset impersonator 38, which uses the MIN and ESN to request system access to the network 20. The network 20 issues a unique challenge by generating and transmitting to the handset impersonator 38 a RANDU along with the MIN of the victim handset 22 (being used by the handset impersonator 38 to request system access). The handset impersonator 38 relays the RANDU number to the network impersonator 36 which, in turn, sends a unique challenge (using the RANDU and the victim handset's MIN) to the victim handset 22. The victim handset 22 responds with an AUTHU determined using the RANDU. The network impersonator 36 relays the AUTHU to the handset impersonator 38 which, in turn, replays the AUTHU in response to the unique challenge posed to the handset impersonator 38 by the network 20. The AUTHU transmitted by the handset impersonator 38 will match the network's AUTHU for the victim handset 22, thus the handset impersonator 38 gains system access to the network 20. Unlike global challenges, the telephone number being dialed by the victim handset (or handset impersonator) is never a function of the AUTHU. Thus, the handset impersonator can effectively respond to a unique challenge and gain system access to perform system access functions, including call origination.
Accordingly, there exists a need for strengthening authentication protocols against replay attacks by handset impersonators performing call origination.